On Thu, May 29, 2008 at 10:14:12AM -0400, Victor Duchovni wrote: > And then knowing that attackers never choose these keys, users start > using these keys because attakers avoid them, and then attackers start > checking these first again, ... This way lies madness. Fix your premise > and don't change it in flight.
Agreed. Let's assume that users tend to pick the password "password" when given a choice. Now adversaries try the most common password, namely "password", first. Security conscious admins ban the word "password" as a password. Yes, this does reduce the keyspace a tiny bit. Do adversaries generally stop trying the password "password"? Not generally. For every security-conscious admin or user, there are 99 who are not. For every cutting-edge security expert, there are 99 bottom-feeders who will only get this information years later. I still hear of people trying to tftp /etc/passwd. I think that people will still be trying to brute-force their way in with these keys for ten years. I would ban the use of these keys to gain entry to anything, much like security-conscious admins ban easily-guessed passwords. Only the key space here is much, much larger than typical 8-character passwords, so this loss will be unnoticeable. I personally don't like the idea of generating keys that people will try, or using a weak/known key with small probability, but in this case I think it's so small that simply scanning for and banning such keys is good enough. I was hoping someone would release a tool to search for them in the authorized_keys files on any OS (e.g. my OpenBSD box), but AFAIK, nobody has. I certainly don't want a kluge to the RNG... -- Crypto ergo sum. https://www.subspacefield.org/~travis/ Truth does not fear scrutiny or competition, only lies do. If you are a spammer, please email [EMAIL PROTECTED] to get blacklisted. ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
